Lines Matching +full:1 +full:as +full:- +full:2020

1 // SPDX-License-Identifier: GPL-2.0-only
3  * Landlock - Ptrace and scope hooks
5  * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
6  * Copyright © 2019-2020 ANSSI
7  * Copyright © 2024-2025 Microsoft Corporation
33  * domain_scope_le - Checks domain ordering for scoped ptrace
46 	/* Quick return for non-landlocked tasks. */
53 	for (walker = child->hierarchy; walker; walker = walker->parent) {
54 		if (walker == parent->hierarchy)
69 	return -EPERM;
73  * hook_ptrace_access_check - Determines whether the current process may access
83  * granted, -errno if denied.
92 	/* Quick return for non-landlocked tasks. */
100 		err = domain_ptrace(parent_subject->domain, child_dom);
117 			.layer_plus_one = parent_subject->domain->num_layers,
124  * hook_ptrace_traceme - Determines whether another process may trace the
133  * process, returning 0 if permission is granted, -errno if denied.
145 	err = domain_ptrace(parent_subject->domain, child_dom);
163 		.layer_plus_one = parent_subject->domain->num_layers,
169  * domain_is_scoped - Checks if the client domain is scoped in the same
170  *		      domain as the server.
177  * unless the @server is also scoped in the same domain as @client.
190 	client_layer = client->num_layers - 1;
191 	client_walker = client->hierarchy;
194 	 * than client->num_layers to ensure the following loop stops.
196 	BUILD_BUG_ON(sizeof(client_layer) > sizeof(client->num_layers));
198 	server_layer = server ? (server->num_layers - 1) : -1;
199 	server_walker = server ? server->hierarchy : NULL;
203 	 * as the server's domain, and checks that none of these client's
206 	for (; client_layer > server_layer; client_layer--) {
210 		client_walker = client_walker->parent;
213 	 * Walks server's parent domains down to the same hierarchy level as
216 	for (; server_layer > client_layer; server_layer--)
217 		server_walker = server_walker->parent;
219 	for (; client_layer >= 0; client_layer--) {
229 		client_walker = client_walker->parent;
230 		server_walker = server_walker->parent;
241 	lockdep_assert_held(&unix_sk(other)->lock);
242 	dom_other = landlock_cred(other->sk_socket->file->f_cred)->domain;
249 	struct unix_address *addr = unix_sk(sock)->addr;
254 	if (addr->len >= offsetof(struct sockaddr_un, sun_path) + 1 &&
255 	    addr->name->sun_path[0] == '\0')
274 	/* Quick return for non-landlocked tasks. */
281 	if (!sock_is_scoped(other, subject->domain))
292 		.layer_plus_one = handle_layer + 1,
294 	return -EPERM;
312 	if (unix_peer(sock->sk) == other->sk)
315 	if (!is_abstract_socket(other->sk))
318 	if (!sock_is_scoped(other->sk, subject->domain))
326 				.sk = other->sk,
329 		.layer_plus_one = handle_layer + 1,
331 	return -EPERM;
365 	/* Quick return for non-landlocked tasks. */
371 		is_scoped = domain_is_scoped(subject->domain,
385 		.layer_plus_one = handle_layer + 1,
387 	return -EPERM;
397 	lockdep_assert_held(&fown->lock);
398 	subject = &landlock_file(fown->file)->fown_subject;
403 	 * subject->domain has already been filtered when saved by
407 	if (!subject->domain)
412 		is_scoped = domain_is_scoped(subject->domain,
427 		.layer_plus_one = landlock_file(fown->file)->fown_layer + 1,
430 	return -EPERM;